NSA Too Focused On Perimeter Defense, Clarke Says

The former White House cybersecurity adviser says the NSA's focus on perimeter security made it vulnerable to insider Edward Snowden.

Despite a drumbeat of high-profile data breaches in recent years, the National Security Agency and many other federal agencies continue to focus on outdated perimeter security practices, leaving networks vulnerable to insider threats, former White House cybersecurity adviser Richard Clarke warned at this week's RSA security conference in San Francisco.

"NSA was hacked," Clarke said. Although the agency has some of the best outward-facing security in the world, Edward Snowden was able to access and steal classified information without setting off alarms, "because NSA had terrible internal security."

The NSA, one of the world's most capable organizations in cyberoffense, is lousy at defense, he said.

Clarke, a security consultant who took part in the presidential review that recommended revamping the NSA's intelligence-gathering operations in the wake of the Snowden breach, made his comments at a Feb. 25 news conference hosted by Bit9 and Carbon Black at the RSA conference.

He also spoke at length on how the NSA's controversial intelligence collection activities have damaged relations with multinational companies that host data around the world, and he raised concerns about the safety of data traveling through US networks.

Intrusions are increasing in government systems: breaches of personal information that agencies reported to the Homeland Security Department's US Computer Emergency Response Team rose 42% in fiscal 2012 over the year before.

Intrusions in private-sector systems are also getting plenty of attention. A recent example is the theft of credit card information belonging to millions of customers of Target and other large retailers over the holiday season. Once inside a network, intrusions can go undetected for long periods because of a lack of monitoring of network activity, Clarke said.

Yet security programs continue to focus on the perimeter at the expense of the network. "The money goes to firewalls. The money goes to antivirus. The money goes to intrusion detection and prevention systems, and we know these systems fail all the time."

Clarke, who sits on the board of Bit9, made a pitch for visibility tools offered by the company, and he said legislation is needed to raise the level of cybersecurity in the nation's critical infrastructure, both government and privately owned. "Ultimately, I would like to see regulation," because market forces have failed to protect the national security and economy, but it isn't going to happen under the current Congress.

In the absence of regulation, Clarke called the president's 2013 executive order on infrastructure security and the resulting Cybersecurity Framework a good first step -- but only a step -- toward improved security.

He also called for revamping the NSA's intelligence-gathering programs and for increased transparency in the spy agency's oversight. Too often, it gathers information because it can, rather than because it should. While praising the current agency leadership, he said, "It's not a crazy idea" that the government could abuse information it has gathered, citing FBI abuses in earlier decades.

The NSA's problem is not a lack of controls, Clarke said, but the fact that oversight occurs in secret, which undermines public trust. The NSA is much more closely regulated than most nations' intelligence agencies, with oversight from the judicial, legislative, and executive branches, "but there is no way for the American people to know that."

William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News. His coverage has ranged from architecture to international ...

I think you're right, Tom, that determined insiders are hard to beat. It is worth noting that after the Snowden incident, NSA chief Gen. Keith Alexander instituted a rule that two people had to be present to permit the downloading or transferring of data. Together with the right internal controls, that would make it harder, though not impossible, to make off with key data.

We must get to defense in depth, internal safeguards as well as perimeter defense, to achieve more secure operations. A rules engine should be watching user behavior to spot activity like Snowden's that's out of line.

I'd venture to say that the issue goes beyond poor internal security. Simply put, modern communications technology makes it extremely difficult to keep secrets. Even if the NSA was on top of everything, I suspect a determined insider could take data outside the organization. It's just too difficult to simultaneously have data be readable and protected.

So Richard Clarke believes the NSA's biggest problem comes from insider threats who then rightfully divulge governmental abuse of power? Clearly, he still lives in the same, elite ivory tower he always has when he was receiving a paycheck from the agency.

The 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - it's rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?